Important publication of new CSSF circular on outsourcing arrangements

Important publication of new CSSF circular on outsourcing arrangements

On 22 April 2022, the CSSF published a new circular 22/806 on outsourcing arrangements (CSSF Circular 22/806).

CSSF Circular 22/806 consists of three parts:

• the general part on outsourcing arrangements with its definitions, scope, principles and governance requirements and particularly, giving insight on the assessment of important or critical functions and providing a detailed view on what information needs to be reflected in an outsourcing policy. It should be noted that items 59 and 60 of this general part apply to the ICT specific part below;
• specific ICT outsourcing requirements differentiating between ICT outsourcing arrangements relying on a cloud computing infrastructure and those that do not rely on any clouds; and
• application date.

It should be noted that CSSF Circular 22/806 should be read in conjunction with:

• the new CSSF circular 22/805 – Revised EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02) – Publication of Circular CSSF 22/806 on outsourcing arrangements – Repeal or amendments of certain circulars CSSF (CSSF Circular 22/805 and together with the CSSF Circular 22/806, the New CSSF Circulars); and
• the related frequently asked questions (FAQ).

Please also note that several CSSF circulars (including the CSSF circular 17/654 on IT outsourcing relying on a cloud computing infrastructure, as amended (Cloud Circular)) will be amended or repealed further to the above.

Who is affected?

The New CSSF Circulars and FAQ apply to:

• credit institutions and professionals within the meaning of the law of 5 April 1993 on the financial sector, as amended (LFS);
• payment institutions and electronic money institutions within the meaning of the law of 10 November 2009 on payment services (LPS);
• all investment fund managers subject to Circular CSSF 18/698 concerning the authorisation and organisation of investment fund managers incorporated under Luxembourg law; specific provisions on the fight against money laundering and terrorist financing applicable to investment fund managers and entities carrying out the activity of registrar agent (Circular CSSF 18/698);
• all undertakings for collective investment in transferable securities subject to Part I (UCITS) of the law of 17 December 2010 relating to undertakings for collective investment (UCITS Law) which designate a management company within the meaning of the UCITS Law;
• all central counterparties (CCPs), including Tier 2 third-country CCPs, complying with the relevant requirements of EMIR;
• all approved publication arrangements (APAs) with a derogation and authorised reporting mechanisms (ARMs) with a derogation within the meaning of the LFS;
• all market operators operating a trading venue within the meaning of the LFS;
• all central securities depositories (CSDs); and
• all administrators of critical benchmarks.

What does CSSF Circular 22/805 say?

CSSF Circular 22/805 informs the public that the CSSF applies the revised EBA Guidelines and integrates them into its regulatory approach via the new CSSF Circular 22/806. It clarifies that while the revised EBA Guidelines apply to credit institutions, investment firms and electronic money and payment institutions, CSSF Circular 22/806 foresees a wider scope of applicability (as shown above) and that the aim is to harmonise the outsourcing provisions applying to regulated entities at Luxembourg level and compiling them in one single circular.

What does CSSF Circular 22/806 say?

In particular, CSSF Circular 22/806 reflects:

• a clarification on the requirements relating to the outsourcing process, including:
• stating that outsourcing arrangements on critical or important functions are subject to a prior notification requirement, and
• outsourcing agreements must include minimum contractual clauses on, among others, audit and access rights;
• an introduction to specific requirements for the management and oversight of the risks associated with, and the performance and soundness of, the outsourcing arrangements including:
• the creation of an outsourcing function, where relevant and subject to the principle of proportionality;
• requirement to maintain a register for all outsourcing arrangements that can be used by competent authorities in the context of their prudential supervision;
• the guidance on internal control functions related as well as financial and accounting function related outsourcing arrangements;
• the definition of criteria on the assessment of outsourcing arrangements and (more stringent) identification criteria of important and critical functions; and
• alignment of the definition of outsourcing to the MiFID framework. 

Which existing CSSF circulars will be amended?

The CSSF will amend the following existing CSSF circulars as of 30 June 2022:

• Circular CSSF 12/552 as amended, concerning the central administration, internal governance and risk management
• Circular CSSF 20/758 as amended, concerning the central administration, internal governance and risk management
• Circular IML 95/120 concerning the central administration
• Circular IML 96/126 concerning the administrative and accounting organisation
• Circular IML 98/143 as amended, concerning the internal control
• Circular CSSF 04/155 concerning the compliance function

Please note that the amended versions of the above-mentioned CSSF circulars and the related mark-up is already available as appendix 1 to CSSF Circular 22/805.

The CSSF will also amend, but at a later point in time, the following CSSF circulars:

• CSSF Circular 16/644 as amended, concerning the provisions applicable to credit institutions acting as UCITS depositary subject to Part I “and UCIs subject to Part II” of the Law of 17 December 2010 relating to undertakings for collective investment and all UCITS, where appropriate, represented by their management company
• Circular CSSF 18/697 concerning the organisational arrangements applicable to fund depositaries which are not subject to Part I of the UCITS Law and, where appropriate, to their branches; Amendment to Circular CSSF 16/644 regarding the provisions applicable to credit institutions acting as UCITS depositary subject to Part I of the UCITS Law, where appropriate, represented by their management company; and Amendment to Circular IML 91/75 (as amended by Circular CSSF 05/177) regarding the revision and recast of the rules to which Luxembourg undertakings governed by the Law of 30 March 1988 on UCITS are subject
• Circular CSSF 18/698

The CSSF has already outlined the amendments that would need to be made to those circulars and reflected such summary in appendix 2 of the CSSF Circular 22/805.

Which existing CSSF circulars will be repealed?

• Cloud Circular as well as its updating CSSF circular 19/714 concerning the update of the Cloud Circular
• Circular CSSF 13/554 concerning the evolution of the usage and control of the tools for managing information technology resources and the management of access to these resources
• Circular CSSF 15/611 concerning the management of the risks related to the outsourcing of systems that allow the compilation, distribution and consultation of management board/strategic documents
• Circular CSSF 17/656 as amended, concerning administrative and accounting organisation; IT outsourcing
• Circular CSSF 21/777 concerning the implementation of the Guidelines of the European Securities and Markets Authority (ESMA) on outsourcing to cloud service providers by amending the scope of the Cloud Circular
• Circular CSSF 21/785 concerning the replacement of the prior authorisation obligation by a prior notification obligation in the case of material IT outsourcing 

What do the FAQ say?

The CSSF’s FAQ clarify the applicability of part 2 of the new CSSF Circular 22/806 to IFM as concerns ICT outsourcing relying or not on cloud computing infrastructures. Hence, in relation to ICT outsourcing, the process of assessing whether the outsourcing arrangement falls within the meaning of the definition of outsourcing as defined in CSSF Circular 22/806 and whether an important or critical function was outsourced or not has to be made with respect to ICT outsourcing pursuant to such CSSF Circular 22/806.

However, other general outsourcing requirements referring, for example, to internal control functions and financial and accounting function do not apply to IFM as they are not related to ICT outsourcing. As such, CSSF Circular 18/698 applying to IFM remains the baseline for IFM, but gets supplemented, where applicable, and concerning ICT outsourcing, by section 4.2 of CSSF Circular 22/806, noting that section 5.1.2 is to some extent overridden by CSSF Circular 22/806.

The FAQ further clarify that the concept of small entities and significant in-scope entities does not apply to IFM, while however, the principle of proportionality remains applicable and empasises the importance of IFM’s obligation to have an outsourcing policy and the requirements it has to fulfil as per the new CSSF Circular 22/806 as well as the maintenance of an outsourcing register.

As to the notification process, the FAQ clarify the notification requirement to the CSSF and the implementation of any projects after the notice period of one or three months, respectively, with the CSSF’s reserved right to raise any regulatory concerns afterwards and that any non-reaction would not mean an explicit approval of the notified project.

From when do the new provisions apply?

CSSF Circular 22/806 applies as of 30 June 2022. However, by derogation to point 4, points 59 and 60 of the Circular CSSF 22/806 on prior notification apply with immediate effect for ICT outsourcing only, while the corresponding provisions governing the approval and notifications comprised in the currently applicable version of the concerned circulars CSSF should be read as referring to points 59 and 60 of the Circular CSSF 22/806.

CSSF Circular 22/806 requests entities falling within its scope to implement the provisions by 31 December 2022 and notify the CSSF if they think implementation will not be possible by that date.

Please do not hesitate to contact Laurent Massinon and Christina Nickel, should you have any questions on the above.